Re: [clamav-users] Malwarepatrol false positives
I've had to exempt 4 MBL sigs in 24 hours. Where's the QC? I'm on a knife edge about just dropping MBL.

From: clamav-users on behalf of Alex
Sent: Friday, April 27, 2018 8:22:05 PM
To: ClamAV users ML
Subject: [clamav-users] Malwarepatrol false positives

> Hi,
>
> I can't imagine outright blocking https://goo.gl is not a mistake.
>
> $ sigtool --find-sigs MBL_6888621 | sigtool --decode-sigs
> VIRUS NAME: MBL_6888621
> TARGET TYPE: ANY FILE
> OFFSET: *
> DECODED SIGNATURE:
> https://goo.gl
>
> MBL_6882958 and MBL_6888621 both hit on https://goo.gl. I've reported this to them hours ago and still no update so wanted to be sure people knew about it here.

___
clamav-users mailing list
clamav-users@lists.clamav.net
http://lists.clamav.net/cgi-bin/mailman/listinfo/clamav-users

Help us build a comprehensive ClamAV guide:
https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/contact.html#ml
[clamav-users] FP Ppt.Exploit.CVE_2017_0199-6336815-1
Hi,

Getting hits today on this entry in daily.cld.

[root@smtp1 clamav]# sigtool --find-sigs Ppt.Exploit.CVE_2017_0199-6336815-1 | sigtool --decode-sigs
VIRUS NAME: Ppt.Exploit.CVE_2017_0199-6336815-1
TARGET TYPE: ANY FILE
OFFSET: *
DECODED SIGNATURE:
schemas.openxmlformats.org/officedocument{WILDCARD_ANY_STRING(LENGTH<=500)}script:

Thanks!
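To see exactly which byte layouts the two decoded bodies in these threads (the MBL literal https://goo.gl above, and this Ppt.Exploit body) would hit, here is an added Python example; it is not code from the posts or from ClamAV. It assumes that sigtool's {WILDCARD_ANY_STRING(LENGTH<=N)} is the ndb hex-syntax {-N} wildcard (any N or fewer bytes, newlines included) and that literal text is matched byte-exact; the sample inputs are constructed strings, not real files.

```python
import re

# Decoded bodies exactly as printed by `sigtool --decode-sigs` in the posts.
DECODED_PPT = ("schemas.openxmlformats.org/officedocument"
               "{WILDCARD_ANY_STRING(LENGTH<=500)}script:")
DECODED_MBL = "https://goo.gl"

_WILDCARD = re.compile(r"\{WILDCARD_ANY_STRING\(LENGTH<=(\d+)\)\}")

def decoded_to_regex(decoded):
    """Translate a decoded body into a byte regex.

    Assumption: the only wildcard kind present is the bounded one above,
    which corresponds to ndb '{-N}': any N or fewer bytes, newlines included.
    Everything else is literal and matched byte-exact, like the signature.
    """
    parts, pos = [], 0
    for m in _WILDCARD.finditer(decoded):
        parts.append(re.escape(decoded[pos:m.start()].encode()))
        parts.append(b".{0,%d}" % int(m.group(1)))
        pos = m.end()
    parts.append(re.escape(decoded[pos:].encode()))
    return re.compile(b"".join(parts), re.DOTALL)

def hits(decoded, data):
    """True if the body would match anywhere in data (OFFSET: *)."""
    return decoded_to_regex(decoded).search(data) is not None

# Constructed byte strings (not real documents or mails) that exercise the pattern.
NEAR = (b'xmlns="http://schemas.openxmlformats.org/officedocument/2006/x" '
        b'<p>transcript: notes</p>')   # "script:" inside "transcript:", well under 500 bytes on
FAR = (b'xmlns="http://schemas.openxmlformats.org/officedocument/2006/x"'
       + b" " * 600 + b"script:")      # same tokens, but the gap exceeds 500 bytes
MAIL = b"Click https://goo.gl/abc to continue"   # any text carrying the literal URL

if __name__ == "__main__":
    for name, body, data in [("ppt/near", DECODED_PPT, NEAR),
                             ("ppt/far", DECODED_PPT, FAR),
                             ("mbl/mail", DECODED_MBL, MAIL)]:
        print(f"{name:9s} -> {'HIT' if hits(body, data) else 'clean'}")
```

Because the bounded wildcard and the literal are the whole signature, anything that places "script:" (as a substring of any word) within 500 bytes after the namespace string matches, and any file containing the goo.gl literal matches the MBL entry.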
Re: [clamav-users] CryLocker and Cryptolocker
> Does anyone think it's reasonable/acceptable to block all macros in
> any sizable organization?

Yes. We are 2-4 million messages/day, dunno if that is "sizable" to you.
Re: [clamav-users] Why are the ClamAV team so slow at creating signatures ?
On 10/06/2014 08:32 AM, Webmaster wrote:
> On Monday 6 October 2014, 10:05:11, Alain Zidouemba wrote:
>> If you think it needs to be quicker, then maybe you could volunteer your time to help with the analysis (I'm not sure how you'd go about this)
>
> Or use this : https://securiteinfo.com/services/clamav_unofficial_malwares_signatures.shtml
> It raises ClamAV detection rate up to 80% on 0-day malwares.

Speaking of SecuriteInfo, is the High Risk label deserved for the spam_marketing signatures? Have used all the others in the Securite list but that one.
[clamav-users] signature that penalizes for line length?
Hi,

We use ClamAV, and I have noticed a certain class of spam hitting us lately that has VERY long final lines of garbage text. The reason I noticed it was the length exceeds 2048 characters, which trips a problem in POP3 client downloads.

Anyhow is there any signature that can be used to score and penalize text/plain messages with excessively long lines?

Thanks!

___
Help us build a comprehensive ClamAV guide: https://github.com/vrtadmin/clamav-faq
http://www.clamav.net/support/ml
Re: [clamav-users] signature that penalizes for line length?
It's late and I should have thought this through better. Thanks!

On 6/14/2014 1:05 AM, Al Varnell wrote:
> In general terms, ClamAV® looks for malware and not spam. There are some additional “unofficial” signature databases that can be subscribed to and work with the ClamAV® scan engine, so I suggest taking a look at Sanesecurity http://sanesecurity.com to see if they have what you need. Steve runs things there and subscribes to this list so will probably have some more specific knowledge.
>
> -Al-
>
> On Sat, Jun 14, 2014 at 12:56 AM, Vincent Fox wrote:
>> Hi,
>>
>> We use ClamAV, and I have noticed a certain class of spam hitting us lately that has VERY long final lines of garbage text. The reason I noticed it was the length exceeds 2048 characters, which trips a problem in POP3 client downloads.
>>
>> Anyhow is there any signature that can be used to score and penalize text/plain messages with excessively long lines?
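Since the answer is that ClamAV signatures are not the tool for this, here is an added Python example (not from the thread, and not a ClamAV feature) of the check a mail filter could run itself: it measures text/plain lines after transfer decoding and scores the exact symptom the question describes, an overlong final line. The 2048 limit is the one from the question; the scoring scheme and the sample messages are this example's own constructions.

```python
import email
from email import policy

MAX_LINE = 2048  # the length the question says trips the POP3 client

def text_lines(raw):
    """Yield (part_index, [lines]) for each text/plain part of a raw message,
    with Content-Transfer-Encoding already undone by the email package."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    for idx, part in enumerate(msg.walk()):
        if part.get_content_type() == "text/plain":
            yield idx, part.get_content().splitlines()

def long_text_lines(raw, limit=MAX_LINE):
    """Return [(part_index, line_number, length)] for every line over `limit`."""
    return [(idx, n, len(line))
            for idx, lines in text_lines(raw)
            for n, line in enumerate(lines, start=1)
            if len(line) > limit]

def trailing_garbage_score(raw, limit=MAX_LINE):
    """Assumed scoring: 0 = no overlong line, 1 = an overlong line somewhere,
    2 = the last non-blank line of a text part is overlong (the pattern
    reported in the question)."""
    worst = 0
    for _, lines in text_lines(raw):
        lines = [l for l in lines if l.strip()]
        if lines and len(lines[-1]) > limit:
            return 2
        if any(len(l) > limit for l in lines):
            worst = 1
    return worst

# Constructed sample messages, not real mail from the list.
HEADERS = (b"From: a@example.com\r\nTo: b@example.com\r\nSubject: sample\r\n"
           b"Content-Type: text/plain; charset=us-ascii\r\n\r\n")
SPAM_LIKE = HEADERS + b"Please see the offer below.\r\n" + b"q" * 3000 + b"\r\n"
CLEAN = HEADERS + b"Just a normal note.\r\n"

if __name__ == "__main__":
    for name, raw in [("spam-like", SPAM_LIKE), ("clean", CLEAN)]:
        print(name, long_text_lines(raw), trailing_garbage_score(raw))
```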
Re: [clamav-users] Block all EXE/SRC or MS-EXE/DLL file
On 4/8/2014 8:12 PM, Carl Brewer wrote:
> On 13/02/2014 8:48 PM, Sim wrote:
>> Hello!
>>
>> In the last weeks/months the unrecognized viruses are increasing exponentially (not only for ClamAV but for all antivirus).
>>
>> My idea is to block all EXE/SRC (also inside ZIP/RAR).
>>
>> Executing clamscan --debug filename I can see:
>> - LibClamAV debug: Recognized MS-EXE/DLL file
>> - Section contains executable code
>>
>> Which is the best solution/way to block all EXE/executable files?
>
> If it's on a mail server, why not use the MTA to block it?

We use the signature database Foxhole_all. After a ransomware (Cryptolocker) outbreak unfortunately. That covers most dangerous types inside ZIP, RAR.
Re: [clamav-users] Heuristics.Phishing.Email.SpoofedDomain false-positive
Comment about this feature, which I've never turned on before. I flipped it on, for a single mail router in a pool of 9. Over the course of a day and MANY messages, it tripped for only 4 messages, all of which seem legit. So I'm turning it back off.
Re: [clamav-users] clamd taking too long to restart?
On 8/13/2013 9:46 PM, Matt Olney wrote:
> OK...I'll do some testing tomorrow and see if we can't come up with some information for you.

Mainly I want MX pool heavy on signatures. I tested shorter list on SMTP pool:

ss_dbs= blurl.ndb bofhland_malware_URL.ndb bofhland_phishing_URL.ndb junk.ndb jurlbl.ndb jurlbla.ndb lott.ndb phish.ndb phishtank.ndb rogue.hdb sanesecurity.ftm scam.ndb sigwhitelist.ign2 spam.ldb spamimg.hdb winnow_malware.hdb winnow_phish_complete_url.ndb

Which got it back down to about 30 seconds.

There are 3 signatures that seem a large drag on startup: bofhland cracked, scamnailer, and securiteinfo

Thanks!

___
Help us build a comprehensive ClamAV guide: visit http://wiki.clamav.net
http://www.clamav.net/support/ml
Re: [clamav-users] clamd taking too long to restart?
On 8/14/2013 7:58 AM, G.W. Haywood wrote:
> Hi there,
>
> On Wed, 14 Aug 2013, Vincent Fox wrote:
>> Re: clamd taking too long to restart?
>>
>> Previously I was using a short list of signatures and startup time of 30 seconds which was acceptable. Well it didn't get noticed much. However recently I added a kitchen sink of extra databases like winnow etc. Now startup time is 2.5 minutes, which becomes noticeable.
>>
>> The kitchen sink of databases is very useful, I see more trash being caught by them than I see viruses being caught by main and daily. Actually the vast bulk of the problem seems to come from bofhland Cracked URL. Removing that database on my SMTP servers, cut restart time to 34 seconds.
>>
>> Any way to ameliorate this?
>
> Are you using separate processes on each VM? If so you might want to consider using only one of them to run a clamd daemon, and have the others contact it for the service. You could conceivably arrange the clamd daemon to be able to run on any one of the VMs, and then one of them could be providing the service while another was restarted when necessary. When the newly started clamd is ready, switching from one network connection to another will be very quick.
>
> You could instead do something similar, but set up another two VMs to provide the clamd service. Then you could stop the whole VM when it isn't being used to provide the clamd service, saving resources. The VMs which provide clamd could be stripped down so that they're small and use minimal resources. I would guess that 200M-300M of RAM and a gigabyte of disc space would be plenty for one of the VMs, all it will ever really do is run a few regex matches.

Hmmm yes. We originally had a pool of mail routers, talking to a pool of ClamAV machines. Hardware load balancer made things resilient. However for simplicity of management we collapsed things down so each mail router talked to its localhost copy of ClamAV.

It also allows differentiation, you can easily have differing ClamAV databases for MX, SMTP, MSA hosts. I see now how this led to this particular problem, as the moment sendmail can't contact its one-only ClamAV it starts throwing errors. Stupid of me to overlook this deficiency before.

With LDAP clients I can define a failover list on a host, so if it can't contact its primary server it goes to next one. Perhaps something like that here?

Thanks for pointing this out.
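The LDAP-style failover list asked about above can be done on the client side of clamd's TCP protocol: probe each daemon with PING, use the first one that answers, and only then stream the message to it. This is an added Python example, not code from the thread or from ClamAV; it uses clamd's documented zPING and zINSTREAM commands (NUL-terminated, 4-byte big-endian chunk lengths, zero-length chunk to finish) on the default port 3310, and the candidate host list is a constructed placeholder.

```python
import socket
import struct

CHUNK = 64 * 1024  # keep each chunk well under clamd's StreamMaxLength

def ping_clamd(host, port=3310, timeout=2.0):
    """Probe one daemon with clamd's PING command; False on any socket error."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(b"zPING\0")
            return s.recv(16).startswith(b"PONG")
    except OSError:
        return False

def pick_clamd(candidates, probe=ping_clamd):
    """Return the first (host, port) whose probe succeeds, or None.

    Candidates are tried in order, like an LDAP client's server list:
    the router's own localhost daemon first, its peers after it.
    """
    for host, port in candidates:
        if probe(host, port):
            return (host, port)
    return None

def instream_scan(host, port, data, timeout=30.0):
    """Scan `data` over INSTREAM; returns clamd's reply, e.g. b'stream: OK'."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(b"zINSTREAM\0")
        for i in range(0, len(data), CHUNK):
            chunk = data[i:i + CHUNK]
            s.sendall(struct.pack("!I", len(chunk)) + chunk)
        s.sendall(struct.pack("!I", 0))  # zero-length chunk ends the stream
        reply = b""
        while not reply.endswith(b"\0"):
            piece = s.recv(4096)
            if not piece:
                break
            reply += piece
    return reply.rstrip(b"\0")

def scan_with_failover(candidates, data):
    """Scan with the first reachable daemon; raise only if none answers."""
    target = pick_clamd(candidates)
    if target is None:
        raise ConnectionError("no clamd reachable in %r" % (candidates,))
    return target, instream_scan(*target, data)

if __name__ == "__main__":
    # Placeholder list: localhost first, then a peer router (hostname is made up).
    routers = [("127.0.0.1", 3310), ("mx2.example.invalid", 3310)]
    print(scan_with_failover(routers, b"constructed message body"))
```

A restart of the local daemon then costs only one failed PING before the next router's clamd is used, instead of sendmail erroring until the restart completes.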
[clamav-users] clamd taking too long to restart?
Hi,

Previously I was using a short list of signatures and startup time of 30 seconds which was acceptable. Well it didn't get noticed much. However recently I added a kitchen sink of extra databases like winnow etc. Now startup time is 2.5 minutes, which becomes noticeable.

Any way to ameliorate this?
Re: [clamav-users] clamd taking too long to restart?
On 8/13/2013 8:49 PM, Matt Olney wrote:
> So what qualifies as a kitchen sink-load?

Most everything that SaneSecurity hosts that is low or medium risk:

ss_dbs= blurl.ndb bofhland_cracked_URL.ndb bofhland_malware_URL.ndb bofhland_phishing_URL.ndb bofhland_malware_attach.hdb crdfam.clamav.hdb junk.ndb jurlbl.ndb jurlbla.ndb lott.ndb phish.ndb phishtank.ndb porcupine.ndb rogue.hdb sanesecurity.ftm sigwhitelist.ign2 scam.ndb scamnailer.ndb spam.ldb spamimg.hdb spamattach.hdb spear.ndb spearl.ndb winnow.attachments.hdb winnow_bad_cw.hdb winnow.complex.patterns.ldb winnow_extended_malware.hdb winnow_extended_malware_links.ndb winnow_malware.hdb winnow_malware_links.ndb winnow_phish_complete_url.ndb winnow_spam_complete.ndb
si_dbs= securiteinfoelf.hdb securiteinfosh.hdb securiteinfopdf.hdb securiteinfooffice.hdb securiteinfohtml.hdb securiteinfodos.hdb securiteinfobat.hdb securiteinfo.hdb
mbl_dbs= mbl.ndb

My mail routers are VM's and not the fastest things around but neither are they 486's pulled from a scrap heap:

[root@msa3 etc]# grep name /proc/cpuinfo
model name : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
model name : Intel(R) Xeon(R) CPU E5-2670 0 @ 2.60GHz
[root@msa3 etc]# grep MemTotal /proc/mem*
MemTotal:        8057768 kB
[clamav-users] n00b question: signatures enabled?
Hi,

I've been puzzling over a ClamAV installation I was handed. Is there an easy way to verify which signatures are being loaded/used? It's not clear to me where you go to enable/disable signatures.

I see quite a lot of signatures being downloaded by freshclam and/or the unofficial-sigs.sh jobs. However I don't see evidence in my maillogs of hits on more than 6 of them. We have fairly busy mail routers so I'd expect to hit on some of the others at least once a day.

I hunted around on Wiki/FAQ and web searches couldn't find an answer to this.

Thanks!
Re: [clamav-users] n00b question: signatures enabled?
Found the answer to part of my question with:

clamconf -n

I still have a problem that the previous admin was downloading lots of unofficial signatures to a place that clamd isn't paying any attention to. Working on that part.

Thanks!

On 07/26/2013 12:44 PM, Vincent Fox wrote:
> Hi,
>
> I've been puzzling over a ClamAV installation I was handed. Is there an easy way to verify which signatures are being loaded/used? It's not clear to me where you go to enable/disable signatures.
>
> I see quite a lot of signatures being downloaded by freshclam and/or the unofficial-sigs.sh jobs. However I don't see evidence in my maillogs of hits on more than 6 of them. We have fairly busy mail routers so I'd expect to hit on some of the others at least once a day.
>
> I hunted around on Wiki/FAQ and web searches couldn't find an answer to this.
>
> Thanks!
Re: [clamav-users] What happened to 12663 ?
On 2/11/2011 8:31 AM, Jan-Pieter Cornet wrote:
> On the other hand, since you haven't updated ClamAV in over a year, leading to (significantly) decreased detection, maybe the scanning of email isn't top priority, and your mail scanning engine needs to fallback to letting mail through on scan errors.

Forgive me for this but 3-4 days after v0.97 is released, v0.95 is considered obsolete and no longer worth testing databases for. However, I don't see that an announcement went out to this effect. And in fact, when you follow the OUTDATED link in the software it mentions 0.94. If you want to consider 0.95 series EOL please update.

The test database feature seems plenty reason to upgrade without beating us over the head about what slackers we are. For some of us though it means compiling and deploying to production which carries its own overhead that may be more than a "need it fixed NOW" as management wrings its hands.

We disabled freshclam and kept running an older database instead.